https://pdos.csail.mit.edu/6.828/2018/labs/lab1/
版本:
qemu:QEMU emulator version 1.5.3 (qemu-kvm-1.5.3-167.el7_7.4), Copyright (c) 2003-2008 Fabrice Bellardcentos:CentOS-7-x86_64-Minimal-1908gdb:GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-115.el7The ROM BIOS 这个章节,A 窗口 make qemu-gdb,B 窗口 make gdb
A:
/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -gdb tcp::25000 -D qemu.log -S
VNC server running on `::1:5900'
B si 单步调试:
[f000:fff0] 0xffff0: ljmp $0xf000,$0xe05b
[f000:e05b] 0xfe05b: cmpl $0x0,%cs:0x69c8
[f000:e062] 0xfe062: jne 0xfd0f7
[f000:e066] 0xfe066: xor %dx,%dx
[f000:e068] 0xfe068: mov %dx,%ss
[f000:e070] 0xfe070: mov $0xf1399,%edx
[f000:e076] 0xfe076: jmp 0xfcf8c
[f000:cf8c] 0xfcf8c: cli
[f000:cf8d] 0xfcf8d: cld
[f000:cf8e] 0xfcf8e: mov %eax,%ecx
[f000:cf91] 0xfcf91: mov $0x8f,%eax
[f000:cf97] 0xfcf97: out %al,$0x70
[f000:cf9b] 0xfcf9b: in $0x92,%al
[f000:cf9d] 0xfcf9d: or $0x2,%al
[f000:cf9f] 0xfcf9f: out %al,$0x92
[f000:cfa4] 0xfcfa4: lidtw %cs:0x69b8
[f000:cfaa] 0xfcfaa: lgdtw %cs:0x6974
[f000:cfb0] 0xfcfb0: mov %cr0,%ecx
[f000:cfb3] 0xfcfb3: and $0x1fffffff,%ecx
[f000:cfba] 0xfcfba: or $0x1,%ecx
[f000:cfbe] 0xfcfbe: mov %ecx,%cr0
切入 PE 之后:
The target architecture is assumed to be i386
=> 0xfcfc9: mov $0x10,%ecx
=> 0xfcfce: mov %ecx,%ds
=> 0xfcfd0: mov %ecx,%es
=> 0xfcfd2: mov %ecx,%ss
=> 0xfcfd6: mov %ecx,%gs
=> 0xfcfd8: jmp *%edx
=> 0xf1399: sub $0x8,%esp
=> 0xf139c: movl $0xf4254,0x4(%esp)
=> 0xf13a4: movl $0xf390a,(%esp)
=> 0xf13ab: call 0xee4dd
=> 0xee4dd: lea 0x8(%esp),%ecx
=> 0xee4e1: mov 0x4(%esp),%edx
=> 0xee4e5: mov $0xf4200,%eax
=> 0xee4ea: call 0xedd5a
=> 0xedd5a: push %ebp
=> 0xedd5b: push %edi
=> 0xedd5c: push %esi
=> 0xedd5d: push %ebx
=> 0xedd5e: sub $0xc,%esp
=> 0xedd61: mov %eax,%ebx
=> 0xedd63: mov %edx,0x4(%esp)
=> 0xedd67: mov %ecx,%ebp
=> 0xedd69: mov 0x4(%esp),%esi
=> 0xedd6d: movsbl (%esi),%edx
=> 0xedd70: test %dl,%dl
=> 0xedd72: je 0xedfb6
=> 0xedd78: cmp $0x25,%dl
=> 0xedd7b: jne 0xede1b
=> 0xede1b: mov %ebx,%eax
=> 0xede1d: call 0xec570
=> 0xec570: mov %eax,%ecx
=> 0xec572: movsbl %dl,%edx
=> 0xec575: call *(%ecx)
=> 0xec565: mov %edx,%eax
=> 0xec567: mov 0xf683c,%dx
=> 0xec56e: out %al,(%dx)
=> 0xec577: ret
=> 0xede22: jmp 0xedfaa
=> 0xedfaa: lea 0x1(%esi),%eax
=> 0xedfad: mov %eax,0x4(%esp)
=> 0xedfb1: jmp 0xedd69
=> 0xedd69: mov 0x4(%esp),%esi
=> 0xedd6d: movsbl (%esi),%edx
=> 0xedd70: test %dl,%dl
=> 0xedd72: je 0xedfb6
=> 0xedd78: cmp $0x25,%dl
=> 0xedd7b: jne 0xede1b
=> 0xede1b: mov %ebx,%eax
=> 0xede1d: call 0xec570
=> 0xec570: mov %eax,%ecx
=> 0xec572: movsbl %dl,%edx
=> 0xec575: call *(%ecx)
=> 0xec565: mov %edx,%eax
=> 0xec567: mov 0xf683c,%dx
=> 0xec56e: out %al,(%dx)
=> 0xec577: ret
...
中间隔开的那一段一直到 ... 就是死循环,但是如果这个时候 c continue 的话 A 又可以进 kernel,而且试了断点,并没有进 0x7c00。
找到一篇:https://stackoverflow.com/questions/11408041/how-to-debug-the-linux-kernel-with-gdb-and-qemu/33203642#33203642,把 A 窗口换成直接执行:
/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -D qemu.log -S -s
其实就是换了 gdb TCP 1234 端口,然后按照 stackoverflow 上在 B 连 1234:
target remote localhost:1234
最终 si 还是进了死循环... 另外试了 -bios 参数,也确实是使用的 seabios.bin。
已经查不动了,求大佬解答~
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.